

What requirements must a GDPR-compliant CRM system meet?

Data protection is a sensitive topic today. The EU General Data Protection Regulation (EU GDPR for short) strictly regulates the use of personal data, and non-compliance can sometimes lead to very high fines.

A representative survey by the digital association Bitkom in 2020 found that by September of that year, only 20% of the 500 companies surveyed had fully implemented the GDPR. 56% even stated that innovative business projects had failed due to the GDPR.

But more than half also thought the GDPR set global standards for handling personal data and brought competitive advantages for EU companies.

GDPR in CRM title image for wiki page from GEDYS IntraWare

In 2022, according to a survey by Statista on the status of implementation of the GDPR in Germany, 22% of the companies surveyed have still not fully implemented the GDPR and 33% have only partially implemented it. The topic of CRM and GDPR therefore remains topical.

For the management of successful customer relationships, the collection and processing of personal data in a CRM system is indispensable. And this is not only in the interest of the companies, but also in the interest of the customers and interested parties. For this reason, we have compiled important information on the GDPR in CRM for you here in compact form.

1. The EU GDPR in brief

Since May 25, 2018, the EU GDPR has been in force throughout Europe and regulates the handling of personal data by companies and public bodies.

The broad aim is to strengthen personal rights to informational self-determination. The EU GDPR applies to all companies in the EU that store and process personal data. But beware: Companies outside the EU must also comply with the GDPR if they offer their services or products to EU citizens and collect and use their data in the process!

2. What are personal data?

Personal data means any information relating to an identified or identifiable natural person. Information in a business context can also be personal data.

GDPR in CRM: personal data, GEDYS IntraWare
  • First name and surname
  • Address
  • Gender
  • Phone number
  • Email address
  • IP address
  • Contact details of contact persons at customers or suppliers
  • IP addresses of website visitors
  • List of newsletter recipients

3. What does the “processing of personal data” mean?

The “processing” of personal data basically means any handling of the data described in point 2.

  • Collect (e.g. by questionnaire)
  • Capture (e.g. via form, software or camera)
  • Store (e.g. in a database, Excel file or record)
  • Change (e.g. update)
  • Transmit (e.g. to a government agency or an affiliated company)
  • Match and link
  • Block or delete

Examples from everyday practice would include storing contact details of your customers’ contacts (B2B) in your CRM system or collecting addresses for newsletter distribution or simply taking an order.

By the way, this also includes the recording of personal information of applicants for a vacant position in your company.

4. Personal data in the company

4.1 Why do companies need personal data?

When selling products and services, you need to convince potential customers of your quality. To do this, you need to know a lot about your future customers so that you can choose the right approach and the right communication channels. For each channel you need your recipients' address data; for email marketing and newsletters, for example, you need entire lists of recipients. But you also need personal data for commercial processes.

4.2 Which departments work with the personal data?

The first thing that comes to mind is purchase processing and accounting. But in fact, several other departments work with your customers’ personal data before or after the purchase. For example, there’s your marketing chasing new leads, your sales recruiting new customers, or even your service taking care of your customers.

4.3 Is the handling of employee data also regulated in the GDPR?

The GDPR not only protects customer data, but also employee data – from the application to the end of employment.

The GDPR stipulates that personal data, including employee data, may only be processed if this is permitted by a specific legal basis or the employee’s consent. This legal basis is found in the German Federal Data Protection Act (BDSG). This means that employers may process such personal data as is necessary for the commencement, performance or termination of an employment relationship even without consent.

GDPR IN CRM: user management, GEDYS-IntraWare

Today, the most important employee data is mostly collected in a digital personnel file. The employer must protect this file from outside access. In addition, employee data is needed for user administration in order to securely regulate access rights to digital applications and customer data.

4.4 What software do you need to manage personal data?

For GDPR-compliant management of personal data, you need CRM software that ensures the rights and security of your customers and at the same time saves you from risking high fines in case of process errors. Transparency, optimally coordinated processes and central data storage for a full overview support the regulations of the GDPR in CRM better than a collection of Excel sheets distributed across various servers.

5. When is the processing of personal data allowed in CRM?

5.1 Legality:
The processing of personal data is lawful if the GDPR permits it. For this, there must be a “legal basis” for the processing, as follows:

  • Execution of the contract: The processing is necessary for the execution of a contract with the person, such as using the address of the customer to ship the ordered product.
  • Compliance with laws: Data processing is necessary to fulfill legal obligations, such as retrieving and storing the identification data of contractual partners in accordance with the Money Laundering Act.
  • Legitimate interests: The company pursues a legitimate interest with the processing, no less intrusive alternatives exist, and the conflicting interests of the persons concerned do not prevail. Example: viewing the business letters of a sick employee to handle urgent customer inquiries.
  • Consent: The data subject has been informed and has clearly consented to the use of the data, such as a customer who signs up for the newsletter.

5.2 Earmarking (purpose limitation):
Use data only for the purposes for which it was originally collected or that are compatible with those original purposes.

5.3 Data minimization:
Do not collect and use more data than necessary for the specific purpose (no stockpiling of data). Example: Asking for name and employer is not necessary for sending newsletters.

5.4 Storage limitation:
Delete personal data when it is no longer required, for example after expiry of the legal retention period after 10 years.

5.5 Correctness:
Correct incorrect or incomplete data.

5.6 Data security:
Protect data sufficiently against access by unauthorized persons, against loss and falsification. Compliance with data security according to the GDPR in CRM is ensured, for example, by role concepts, passwords, encryption and a firewall.

Attention: processing ban for sensitive data

In some cases, the GDPR imposes additional requirements on data handling. These also apply to the GDPR in CRM:
A general ban on processing applies to sensitive data. This covers, for example, data on health, religion, political opinions, trade union membership or sexual life. Processing is permitted only in the case of justified exceptions and under particularly strict conditions, such as consent, labor law and social security obligations, etc.

6. GDPR in CRM

This is what your CRM must offer functionally for GDPR-compliant data processing

For compliance with GDPR requirements, a whole host of functions and coordinated processes can of course make your day-to-day work easier. We have collected here the core functionalities that your CRM system must definitely offer in order to be GDPR-compliant.

Right to information / disclosure

A person wants to know what personal data is stored about them. They may also ask for what purpose the data is processed or in which processing operations the personal data is used. You are required to answer these questions.

This applies, for example, to mailings and evaluations with mailing programs, use in campaigns, in the service desk or in third-party systems.

Right to be forgotten

A person wants his or her personal data to be deleted. This is possible only if other laws do not require that the personal data be preserved and no other interest dictates that such data be preserved.

Examples of such other laws are:
  • Commercial law
  • Tax law
  • Criminal law


Whenever personal data is collected, modified, deleted, combined or processed, this must be logged.

In CRM, this is possible via the document history, which records who did what, when and why. All histories are available at any time.

Obligation to provide proof

The storage of personal data requires the consent of the person concerned. The consent must be documented in writing.

In CRM, this can be done, for example, via a scanned business card, by e-mail or via a form with double opt-in.

Data economy

Personal data collected must be adequate for the purpose and limited to what is necessary. Moreover, it is to be kept only as long as it is actually needed.

The implementation of a deletion concept in CRM is necessary.

Right to data portability

Individuals have a right to have their personal data provided in a commonly used format.

From CRM, for example, this is possible via “Contact at a glance” as an Excel export.

Right to restrict processing

Personal data may be retained but may NOT be processed automatically.

Personal data may therefore only be stored in the CRM, and use is only permitted if consent has been obtained.

Right to object

A person may object to the processing of his/her personal data. The person must be informed of the right to object at the time of the first communication.

After a person has objected, their data must be inactive in the CRM and must not be processed automatically.


Users of a personal data processing system may only have access to the data that corresponds to their access authorization. All functions to view data or export it must be protected accordingly.

This is ensured in CRM via role-based access rights.

7. Where is the personal data securely stored according to the GDPR?

In some cases, the GDPR imposes additional requirements on data handling. When exporting data, an adequate level of data protection must also be ensured when data is transferred to entities outside the European Union and the European Economic Area.

For certain countries, the EU Commission has decided that their data protection laws are sufficient (e.g. for Japan, Israel, Switzerland). For all other countries, special contracts usually have to be concluded with the data recipients. Companies in the U.S. were able to certify under the Privacy Shield until recently, thus ensuring the level of data protection. Attention! The Privacy Shield agreement has been declared invalid by the European Court of Justice. There is currently no new agreement or anything similar.

Read also the blog article: CRM Hosting in Germany

8. Who is liable for violations?

In the event of a violation, the company is liable. Some companies have now received extremely high penalty notices. To ensure that this does not happen, you must carefully check GDPR compliance of the CRM in your company with regard to function, data storage and interfaces.

If you protect the data in your own data center, you have sovereignty and always know what happens to it. And hosting providers in Germany and Europe are also obliged to work according to the GDPR. You, on the other hand, are liable for infringements from platforms outside Europe.


9. Conclusion:
The right CRM helps your company enormously with the implementation of the EU GDPR

With the use of a GDPR-compliant CRM system, you simplify the adaptation to the EU regulation considerably. Your employees will be data protection compliant in no time, because you save yourself the effort of adapting your workflows individually just to ensure that your employees work according to the new guidelines. In addition, you strengthen the trust of your customers and prospects in your company, and you do not lose important customer information, which serves your company as a basis for growth and innovation. German CRM providers will support the implementation of the GDPR.

Watch the developments of the EU Commission. Other legislative proposals are already being discussed: The Data Governance Act, presented at the end of 2020, is a further step by the Commission to position the EU as a data protection pioneer and to turn the issue of data protection into a competitive advantage.